Personal data put at risk by auction of unclaimed USB drives

Sydney RailCorp now tosses lost USBs after a Sophos report found remaining data.

Here’s an important safety tip, courtesy of the Privacy Commissioner of Australia’s state of New South Wales: erasing data on a USB drive doesn’t mean it’s gone. Encrypting USB data is the only way to keep it safe.

Sophos researchers bought a lot of USB drives at an auction last September and ran automated analysis tools over 50 of them to see what they could find. The drives had been “cleaned” by RailCorp employees before auction using Windows’ “long format.” While that made the files inaccessible to casual browsing, it left the data intact and discoverable with file recovery tools. RailCorp said that more thorough approaches to data removal were “economically unviable.” (During the course of the inquiry, RailCorp decided to cease auctioning off USB drives, and now destroys unclaimed drives.)

Sophos found personal tax records, a resume and job application, and hundreds of other personal and work documents (including personal photos and other data). None of the USB drives found were encrypted, and two-thirds of the drives were infected with some form of malware. While assisting the Privacy Commissioner’s investigation, Sophos demonstrated that data recovery from USB drives could be completely automated, apart from plugging in and removing the drives.
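As an added illustration (not Sophos' tooling and not from the article), the following Python models why the RailCorp drives failed: a format that rewrites only filesystem metadata leaves file headers sitting in the data area, where a plain signature scan of the kind Sophos automated still finds them, while an overwrite of the whole device does not. The 64 KiB sample image, the metadata-region size and the function names are constructed for this example.

```python
# Constructed example: a data-remanence check for "sanitized" storage images.
# Not RailCorp's or Sophos' code; sizes and sample data are made up.

# File-header magic bytes for a few document types worth looking for.
SIGNATURES = {
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "pdf": b"%PDF-",
    "zip/office": b"PK\x03\x04",
}

# Constructed assumption: the region a metadata-only format rewrites.
METADATA_BYTES = 4096


def find_residual_signatures(image: bytes) -> list:
    """Return (offset, type) for every file-header signature still in the image."""
    hits = []
    for name, magic in SIGNATURES.items():
        start = 0
        while (pos := image.find(magic, start)) != -1:
            hits.append((pos, name))
            start = pos + 1
    return sorted(hits)


def simulate_metadata_only_format(image: bytes) -> bytes:
    """Model of a format that rewrites only the filesystem structures:
    the first METADATA_BYTES are zeroed, every data cluster is left as-is."""
    return b"\x00" * METADATA_BYTES + image[METADATA_BYTES:]


def overwrite_wipe(image: bytes) -> bytes:
    """Single-pass overwrite of the whole device with zeros."""
    return b"\x00" * len(image)


def build_sample_image() -> bytes:
    """Constructed 64 KiB 'drive': a JPEG and a PDF header well past the metadata area."""
    img = bytearray(64 * 1024)
    img[0:8] = b"FAT32   "                       # constructed metadata marker
    img[8192:8192 + 3] = SIGNATURES["jpeg"]      # photo left in a data cluster
    img[20000:20005] = SIGNATURES["pdf"]         # tax record left in a data cluster
    return bytes(img)


def sanitization_passed(image: bytes) -> bool:
    """Acceptance check a disposal process should run before releasing media."""
    return not find_residual_signatures(image)
```

Run the check against a raw image of the drive (for example one taken with `dd`) rather than by mounting it, since the point is to inspect the blocks the filesystem no longer references.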

Sean Gallagher / Sean is Ars Technica's IT Editor. A former Navy officer, systems administrator, and network systems integrator with 20 years of IT journalism experience, he lives and works in Baltimore, Maryland.